from lib.cuckoo.common.abstracts import Signature


class TamperLogFile(Signature):
    """Flag file operations that touch a per-user ``AppData\\Roaming\\Logs`` directory.

    Detection is purely path-based: every file path recorded for the
    monitored APIs is matched against ``file_indicators`` and each hit is
    marked as a ``file`` IOC. The signature fires if at least one mark exists
    when the analysis completes.
    """

    name = "operation_log_file"
    description = "Attempt to tamper with log files"
    severity = 3
    categories = ["file"]
    authors = ["xuhy"]
    minimum = "2.0"

    # Only these file-related API calls are routed to on_call().
    filter_apinames = [
        "NtCreateFile",
        "NtOpenFile",
        "NtClose",
        "NtSetInformationFile",
        "NtWriteFile",
        "SetEndOfFile",
    ]

    # Regexes applied to observed file paths. Raw string form: ``\\`` in the
    # pattern matches one literal backslash in the path.
    file_indicators = [
        r".*\\AppData\\Roaming\\Logs\\.*",
    ]

    def on_call(self, call, process):
        """Mark every observed file path matching one of ``file_indicators``.

        ``call`` and ``process`` are not inspected here; the lookup goes
        through ``check_file`` with ``all=True``, which presumably scans the
        file activity collected so far (helper defined in the base class —
        confirm there). As a consequence a path may be marked more than once
        across successive calls.
        """
        hits = (
            path
            for pattern in self.file_indicators
            for path in self.check_file(pattern=pattern, regex=True, all=True)
        )
        for path in hits:
            self.mark_ioc("file", path)

    def on_complete(self):
        """Return True when at least one file IOC was marked during analysis."""
        return self.has_marks()
